SCA: security update for github.com/mattermost/mattermost-plugin-github, github.com/mattermost/mattermost-server (GHSA-r5vf-grcx-5vqp)

medium Tenable Cloud Security Plugin ID 444121

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the OAuth token scope on the callback, which allows an authenticated Mattermost user to gain access to private repositories via modifying the scope parameter in the GitHub authorization URL.
Mattermost Advisory ID: MMSA-2026-00628 (CVE-2026-28735)
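The missing check described above, as an added illustration that is not the plugin's own code: on the OAuth callback, the server compares the scopes GitHub actually granted (the comma-separated `scope` field of the token response) against the scope set it requested itself, so a tampered authorization URL cannot yield a token with broader access. The `allowedScopes` values are assumptions for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// allowedScopes is the scope set the integration requests server-side.
// These values are assumed for this example; the real plugin's configuration may differ.
var allowedScopes = []string{"public_repo", "read:org"}

// ParseGitHubScopes splits the "scope" field of a GitHub token response,
// which is a comma-separated list that may be empty.
func ParseGitHubScopes(scope string) []string {
	var out []string
	for _, s := range strings.Split(scope, ",") {
		if s = strings.TrimSpace(s); s != "" {
			out = append(out, s)
		}
	}
	return out
}

// ValidateGrantedScopes rejects a token whose granted scopes are not a subset of
// what the server requested, e.g. "repo" (private repository access) when only
// "public_repo" was requested. Call this on the callback before storing the token.
func ValidateGrantedScopes(granted string, allowed []string) error {
	allowedSet := make(map[string]struct{}, len(allowed))
	for _, a := range allowed {
		allowedSet[a] = struct{}{}
	}
	for _, g := range ParseGitHubScopes(granted) {
		if _, ok := allowedSet[g]; !ok {
			return fmt.Errorf("granted scope %q was not requested; rejecting token", g)
		}
	}
	return nil
}

func main() {
	// Constructed sample "scope" values as they would appear in token responses.
	for _, scope := range []string{"public_repo,read:org", "repo,read:org", ""} {
		if err := ValidateGrantedScopes(scope, allowedScopes); err != nil {
			fmt.Println("reject:", err)
		} else {
			fmt.Printf("accept: %q\n", scope)
		}
	}
}
```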

Solution

Update the github.com/mattermost/mattermost-plugin-github library and its related packages to version 1.0.1-0.20260318132218-6e6b740c4852 or later.

See Also

https://github.com/advisories/GHSA-r5vf-grcx-5vqp

Plugin Details

Severity: Medium

ID: 444121

Version: Revision 1.1

Type: Local

Family: SCA Checks

Published: 6/30/2026

Updated: 6/30/2026

Risk Information

VPR

Risk Factor: Low

Score: 3.3

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2026-28735

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/26/2026

Vulnerability Publication Date: 5/22/2026

Reference Information

CVE: CVE-2026-28735

CWE: CWE-863